/// <summary>
/// Gives every type that <c>IsTypeWithInvalidBaseType</c> flags a base type of System.Object,
/// logging each repair together with the type's metadata token.
/// </summary>
void RestoreBaseType()
{
    var globalType = DotNetUtils.GetModuleType(module);

    foreach (var candidate in module.GetTypes())
    {
        if (IsTypeWithInvalidBaseType(globalType, candidate))
        {
            // A type whose corlib signature has ElementType.Object is left alone.
            var corLibSig = module.CorLibTypes.GetCorLibTypeSig(candidate);
            bool isCorLibObject = corLibSig != null && corLibSig.ElementType == ElementType.Object;

            if (!isCorLibObject)
            {
                Logger.v("Adding System.Object as base type: {0} ({1:X8})", Utils.RemoveNewlines(candidate), candidate.MDToken.ToInt32());
                candidate.BaseType = module.CorLibTypes.Object.TypeDefOrRef;
            }
        }
    }
}
/// <summary>
/// Collects the methods of the type returned by <c>DotNetUtils.GetModuleType</c> that
/// <c>IsDelegateMethod</c> accepts and publishes them through <c>Methods</c>.
/// </summary>
/// <remarks>
/// When the module has no such type, <c>Methods</c> is left unchanged.
/// </remarks>
public void FindMethods()
{
    var globalType = DotNetUtils.GetModuleType(Module);
    if (globalType == null)
    {
        return;
    }

    var found = new List<MethodDef>();
    foreach (var candidate in globalType.Methods)
    {
        if (IsDelegateMethod(candidate))
        {
            found.Add(candidate);
        }
    }

    Methods = found;
}
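/// <summary>
/// Removes every type queued in <c>typesToRemove</c> from the module, logging each removal
/// with the type's metadata token and the recorded reason.
/// </summary>
/// <remarks>
/// Nested types are removed from their declaring type's <c>NestedTypes</c>; all others are
/// removed from <c>module.Types</c>. Null entries and the type returned by
/// <c>DotNetUtils.GetModuleType</c> are never removed.
/// </remarks>
void DeleteTypes()
{
    var types = module.Types;
    if (types == null || typesToRemove.Count == 0)
    {
        return;
    }

    Logger.v("Removing types");
    Logger.Instance.Indent();
    try
    {
        var moduleType = DotNetUtils.GetModuleType(module);
        foreach (var info in typesToRemove)
        {
            var typeDef = info.obj;
            if (typeDef == null || typeDef == moduleType)
            {
                continue;
            }

            bool removed = typeDef.DeclaringType != null
                ? typeDef.DeclaringType.NestedTypes.Remove(typeDef)
                : types.Remove(typeDef);

            if (removed)
            {
                Logger.v("Removed type {0} ({1:X8}) (reason: {2})", Utils.RemoveNewlines(typeDef), typeDef.MDToken.ToUInt32(), info.reason);
            }
        }
    }
    finally
    {
        // Keep the logger's indent level balanced even if a removal throws,
        // so later log output is not shifted.
        Logger.Instance.DeIndent();
    }
}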
/// <summary>
/// Gathers delegate field initializations and stores them in <c>Initializations</c>.
/// </summary>
/// <remarks>
/// Does nothing unless <c>Methods</c> is non-empty. Two places are searched with
/// <c>FindFieldInitializations</c>: every method of the type returned by
/// <c>DotNetUtils.GetModuleType</c>, then the static constructor of every type for which
/// <c>DotNetUtils.DerivesFromDelegate</c> is true.
/// </remarks>
public void FindFields()
{
    if (Methods == null || Methods.Count == 0)
    {
        return;
    }

    var collected = new List<DelegateInitInfo>();

    var globalType = DotNetUtils.GetModuleType(Module);
    if (globalType != null)
    {
        foreach (var candidate in globalType.Methods)
        {
            var fromMethod = FindFieldInitializations(candidate);
            if (fromMethod != null && fromMethod.Count != 0)
            {
                collected.AddRange(fromMethod);
            }
        }
    }

    foreach (var delegateType in Module.GetTypes())
    {
        if (DotNetUtils.DerivesFromDelegate(delegateType))
        {
            // FindStaticConstructor's result is passed straight through, as in the
            // original; any null handling is left to FindFieldInitializations.
            var fromCctor = FindFieldInitializations(delegateType.FindStaticConstructor());
            if (fromCctor != null && fromCctor.Count != 0)
            {
                collected.AddRange(fromCctor);
            }
        }
    }

    Initializations = collected;
}
/// <summary>
/// Looks for the decrypter method among the static methods of the type returned by
/// <c>DotNetUtils.GetModuleType</c> and classifies which <c>ConfuserVersion</c> produced it.
/// </summary>
/// <remarks>
/// A candidate must have the signature <c>System.Object (System.UInt32)</c>. The revision is
/// inferred from the local types it declares, the integer constants it loads and the methods
/// it calls. The first classified candidate wins: it is stored in <c>theDecrypterInfo</c>,
/// passed to <c>Add</c>, and the scan stops. The <c>version</c> and <c>nativeMethod</c> fields
/// are written as a side effect of classification.
/// </remarks>
public void Find()
{
    var globalType = DotNetUtils.GetModuleType(module);
    if (globalType == null)
    {
        return;
    }

    foreach (var candidate in globalType.Methods)
    {
        bool isStaticWithBody = candidate.IsStatic && candidate.Body != null;
        if (!isStaticWithBody)
        {
            continue;
        }
        if (!DotNetUtils.IsMethod(candidate, "System.Object", "(System.UInt32)"))
        {
            continue;
        }

        var decrypter = new DecrypterInfo();
        var locals = new LocalTypes(candidate);

        if (locals.All(requiredLocals1))
        {
            if (locals.Exists("System.Collections.BitArray"))
            {
                // or System.Random
                version = ConfuserVersion.v15_r60785_normal;
            }
            else if (DeobUtils.HasInteger(candidate, 0x100) && DeobUtils.HasInteger(candidate, 0x10000) && DeobUtils.HasInteger(candidate, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73404_normal;
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[])"))
            {
                if (FindInstruction(candidate.Body.Instructions, 0, Code.Conv_I8) < 0)
                {
                    version = ConfuserVersion.v17_r73740_dynamic;
                }
                else
                {
                    version = DotNetUtils.CallsMethod(candidate, "System.Void System.Console::WriteLine()")
                        ? ConfuserVersion.v15_r60785_dynamic
                        : ConfuserVersion.v17_r72989_dynamic;
                }
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
            {
                // The probe result is kept in the nativeMethod field either way.
                version = (nativeMethod = FindNativeMethod(candidate)) == null
                    ? ConfuserVersion.v17_r73764_dynamic
                    : ConfuserVersion.v17_r73764_native;
            }
            else
            {
                continue;
            }
        }
        else if (locals.All(requiredLocals2))
        {
            if (DeobUtils.HasInteger(candidate, 0x100) && DeobUtils.HasInteger(candidate, 0x10000) && DeobUtils.HasInteger(candidate, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73822_normal;
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.Int32 System.Object::GetHashCode()"))
            {
                version = (nativeMethod = FindNativeMethod(candidate)) == null
                    ? ConfuserVersion.v17_r74021_dynamic
                    : ConfuserVersion.v17_r74021_native;
            }
            else
            {
                version = (nativeMethod = FindNativeMethod(candidate)) == null
                    ? ConfuserVersion.v17_r73822_dynamic
                    : ConfuserVersion.v17_r73822_native;
            }
        }
        else
        {
            continue;
        }

        decrypter.decryptMethod = candidate;
        theDecrypterInfo = decrypter;
        Add(decrypter);
        break;
    }
}
/// <summary>
/// Looks for the string decrypter among the static methods of the type returned by
/// <c>DotNetUtils.GetModuleType</c> and classifies which <c>ConfuserVersion</c> produced it.
/// </summary>
/// <param name="simpleDeobfuscator">Used to deobfuscate each plausible candidate before its constants are read.</param>
/// <remarks>
/// A candidate must have the signature <c>System.String (System.Int32)</c> and declare all of
/// <c>requiredLocals</c>. The first candidate that yields a known version is stored in
/// <c>decryptMethod</c> and the scan stops. The <c>magic1</c>, <c>magic2</c>, <c>key1</c> and
/// <c>version</c> fields are written while probing, including for candidates that are then
/// rejected, so they are only meaningful when <c>decryptMethod</c> has been set.
/// </remarks>
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
    var globalType = DotNetUtils.GetModuleType(module);
    if (globalType == null)
    {
        return;
    }

    foreach (var candidate in globalType.Methods)
    {
        bool isStaticWithBody = candidate.IsStatic && candidate.Body != null;
        if (!isStaticWithBody)
        {
            continue;
        }
        if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Int32)"))
        {
            continue;
        }

        var locals = new LocalTypes(candidate);
        if (!locals.All(requiredLocals))
        {
            continue;
        }

        simpleDeobfuscator.Deobfuscate(candidate);

        // Try the old magic1 pattern first; the new pattern is only probed when it fails.
        bool usesOldMagic1 = FindMagic1(candidate, out magic1);
        if (!usesOldMagic1 && !FindNewMagic1(candidate, out magic1))
        {
            continue;
        }
        if (!FindMagic2(candidate, out magic2))
        {
            continue;
        }

        version = ConfuserVersion.Unknown;
        if (DotNetUtils.CallsMethod(candidate, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
        {
            if (!usesOldMagic1)
            {
                if (!FindSafeKey1(candidate, out key1))
                {
                    continue;
                }
                version = ConfuserVersion.v14_r58802_safe;
            }
            else
            {
                version = DotNetUtils.CallsMethod(candidate, "System.Object System.AppDomain::GetData(System.String)")
                    ? ConfuserVersion.v13_r55604_safe
                    : ConfuserVersion.v10_r42915;
            }
        }
        else if (!locals.Exists("System.Random"))
        {
            version = usesOldMagic1 ? ConfuserVersion.v11_r49299 : ConfuserVersion.v14_r58802_dynamic;
        }
        else if (locals.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
        {
            version = ConfuserVersion.v10_r48832;
        }

        if (version == ConfuserVersion.Unknown)
        {
            continue;
        }

        decryptMethod = candidate;
        break;
    }
}
/// <summary>
/// Finds the proxy-delegate creator methods in the type returned by
/// <c>DotNetUtils.GetModuleType</c>, classifies the <c>ConfuserVersion</c> of each one and
/// records it in <c>methodToInfo</c>.
/// </summary>
/// <param name="simpleDeobfuscator">Passed to <c>GetProxyCreatorType</c> and used to deobfuscate each candidate before it is fingerprinted.</param>
/// <remarks>
/// Unlike a first-match scan, every matching method is registered. The <c>version</c> field ends
/// up as the numerically largest version seen. The <c>foundNewobjProxy</c> and
/// <c>callvirtChar</c> fields are written as side effects.
/// </remarks>
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
    var type = DotNetUtils.GetModuleType(module);
    if (type == null)
        return;
    foreach (var method in type.Methods) {
        // Only static, assembly-visible methods with a body are considered.
        if (method.Body == null || !method.IsStatic || !method.IsAssembly)
            continue;
        // The signature gives a first guess; the checks below refine it.
        var theVersion = ConfuserVersion.Unknown;
        if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
            theVersion = ConfuserVersion.v10_r42915;
        else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
            theVersion = ConfuserVersion.v10_r48717;
        else
            continue;
        var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out int tmpVer);
        if (proxyType == ProxyCreatorType.None)
            continue;
        if (proxyType == ProxyCreatorType.Newobj)
            foundNewobjProxy = true;
        simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
        MethodDef nativeMethod = null;
        // 'magic' is declared here and stays in scope for the rest of the loop body;
        // later branches overwrite it through their own out arguments.
        if (FindMagic_v14_r58564(method, out uint magic)) {
            if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
                if (!IsMethodCreator_v14_r58802(method, proxyType))
                    theVersion = ConfuserVersion.v14_r58564;
                else
                    theVersion = ConfuserVersion.v14_r58802;
            }
            else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
                theVersion = ConfuserVersion.v17_r73479;
            else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
                theVersion = ConfuserVersion.v14_r58857;
            else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
                theVersion = ConfuserVersion.v16_r66631;
            else if (proxyType == ProxyCreatorType.CallOrCallvirt)
                theVersion = ConfuserVersion.v16_r70489;
        }
        else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") && DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
            // Call/callvirt creators must yield a callvirtChar, otherwise the candidate is dropped.
            if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
                continue;
            if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
                theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
            else if (FindMagic_v18_r75367(method, out magic))
                theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
            else if (FindMagic_v19_r76101(method, out magic))
                CommonCheckVersion19(method, true, tmpVer, ref theVersion);
            else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
                CommonCheckVersion19(method, false, tmpVer, ref theVersion);
            else {
                // These four checks are sequential, not an else-if chain: each later
                // match overwrites theVersion, so the last matching check decides.
                if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
                    theVersion = ConfuserVersion.v11_r50378;
                int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
                if (numCalls == 2)
                    theVersion = ConfuserVersion.v12_r54564;
                if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
                    theVersion = ConfuserVersion.v13_r55346;
                if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
                    theVersion = ConfuserVersion.v13_r55604;
            }
        }
        else if (Is_v17_r73740(method)) {
            // Both sub-branches need either a native method or a magic value;
            // a candidate with neither is skipped without being registered.
            if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
                if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
                    theVersion = ConfuserVersion.v17_r74708_native;
                else if (FindMagic_v17_r73740(method, out magic))
                    theVersion = ConfuserVersion.v17_r74708_normal;
                else
                    continue;
            }
            else {
                if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
                    theVersion = ConfuserVersion.v17_r73740_native;
                else if (FindMagic_v17_r73740(method, out magic))
                    theVersion = ConfuserVersion.v17_r73740_normal;
                else
                    continue;
            }
        }
        else if (theVersion == ConfuserVersion.v10_r42915) {
            // NOTE(review): 0x06000000 looks like the MethodDef metadata-token table prefix; confirm.
            if (DeobUtils.HasInteger(method, 0x06000000))
                theVersion = ConfuserVersion.v10_r42919;
        }
        SetDelegateCreatorMethod(method);
        // callvirtChar is a field: it holds the value from this iteration only if FindCallvirtChar ran above.
        methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
        // Keep the highest version seen across all creator methods.
        version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
    }
}
/// <summary>
/// Decides whether <paramref name="initMethod"/> belongs to the "safe" variant of the
/// anti-debug protection and, if so, records the matching <c>ConfuserVersion</c> in
/// <c>version</c>.
/// </summary>
/// <param name="type">Type that hosts the protection code.</param>
/// <param name="initMethod">Initializer method being examined.</param>
/// <returns><c>true</c> when every fingerprint matched and <c>version</c> was set; otherwise <c>false</c>.</returns>
/// <remarks>
/// The fingerprints are the literal strings, P/Invoke imports and call counts checked below.
/// When <paramref name="type"/> is the type returned by <c>DotNetUtils.GetModuleType</c> only
/// the strings in <paramref name="initMethod"/> are checked. Otherwise the P/Invoke imports
/// and the separate anti-debug method are inspected as well.
/// </remarks>
bool CheckMethod_safe(TypeDef type, MethodDef initMethod)
{
    const string managedDebuggerMessage = "Debugger detected (Managed)";
    const string parameterizedThreadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";

    if (type == DotNetUtils.GetModuleType(module))
    {
        if (!DotNetUtils.HasString(initMethod, managedDebuggerMessage) || !CheckProfilerStrings1(initMethod))
        {
            return false;
        }

        version = ConfuserVersion.v14_r57588_safe;
        return true;
    }

    // All three native imports must be declared on the type.
    var queryProcessInfo = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
    if (queryProcessInfo == null
        || DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null
        || DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
    {
        return false;
    }

    var antiDebug = GetAntiDebugMethod(type, initMethod);
    if (antiDebug == null)
    {
        return false;
    }

    bool hasDebuggerStrings = DotNetUtils.HasString(antiDebug, managedDebuggerMessage)
        || DotNetUtils.HasString(antiDebug, "Debugger is detected (Managed)");

    // The anti-debug method must not call NtQueryInformationProcess itself,
    // and must call Environment.FailFast exactly twice.
    if (!DotNetUtils.CallsMethod(initMethod, parameterizedThreadCtor)
        || ConfuserUtils.CountCalls(antiDebug, queryProcessInfo) != 0
        || !(CheckProfilerStrings1(initMethod) || CheckProfilerStrings2(initMethod))
        || ConfuserUtils.CountCalls(antiDebug, "System.Void System.Environment::FailFast(System.String)") != 2)
    {
        return false;
    }

    if (!hasDebuggerStrings)
    {
        version = ConfuserVersion.v19_r78363_safe;
    }
    else if (!DotNetUtils.CallsMethod(antiDebug, parameterizedThreadCtor))
    {
        version = ConfuserVersion.v16_r61954_safe;
    }
    else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
    {
        version = ConfuserVersion.v17_r73822_safe;
    }
    else
    {
        version = CheckProfilerStrings1(initMethod)
            ? ConfuserVersion.v17_r74021_safe
            : ConfuserVersion.v19_r76119_safe;
    }

    return true;
}